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ABSTRACT 

Trust  is  the  expectation  of  a  person  about  another 
person’s  behavior.  Trust  is  important  for  many  secu¬ 
rity  related  decisions  about,  e.g.,  granting  or  revoking 
privileges,  controlling  access  to  sensitive  resources  and 
information,  or  evaluating  intelligence  gathered  from 
multiple  sources.  More  often  than  not,  the  issue  is 
complicated  even  further  because  the  person  making 
the  decision  has  no  direct  trust  relationship  with  every 
single  subject  whose  trustworthiness  needs  to  be  eval¬ 
uated.  So,  the  decision  maker  needs  to  rely  on  recom¬ 
mendations  by  others,  and  then  somehow  aggregate 
the  trust  related  information  that  is  collected.  In  this 
work  we  provide  an  algebraic  framework  in  which  we 
can  describe  multiple  ways  that  trust  related  informa¬ 
tion  can  be  aggregated  to  form  a  single  value.  We 
show  the  similarities  and  differences  that  the  various 
so  called  trust  computation  algorithms  have,  and  asso¬ 
ciate  these  with  the  algebraic  properties  of  the  frame¬ 
work  that  we  consider. 


1.  INTRODUCTION 

Trust  is  a  weighted  binary  relation  between  two  mem¬ 
bers  of  a  network.  As  an  example,  consider  a  network 
of  intelligence  gathering  agents,  organized  in  a  hierar¬ 
chical  manner.  Trust  could  then  be  the  expectation  of 
a  person  A  (presumably  high  in  the  hierarchy)  that  a 
person  B  (low  in  the  hierarchy)  is  honest,  as  opposed, 
e.g.,  to  being  a  double  agent.  The  weight  of  this  rela¬ 
tion  is  then  a  way  to  quantify  this  expectation:  The 
greater  the  weight,  the  higher  the  expectation. 

Real  life  interactions  build  trust  (or  distrust)  be¬ 
tween  some  of  the  members  of  the  network.  In  this 
way,  what  we  call  direct  trust  is  created,  and,  since 
not  all  members  of  a  network  have  direct  interactions, 
such  direct  trust  links  do  not  exist  between  all  pairs. 
However,  members  without  direct  interactions  will  also 
need  to  make  trust  assessments  for  others,  as  in  our 


example  above.  Trust  computation  deals  with  the  cal¬ 
culation  of  these  indirect  trust  relations. 

Ultimately,  we  want  to  combine  all  relevant  direct 
trust  relations  and  associated  weights  to  come  up  with 
an  indirect  trust  value  (weight).  For  this,  first  of  all 
we  assume  that  trust  is  in  some  sense  transitive:  If  A 
directly  trusts  B  (to  some  degree)  and  B  directly  trusts 
C  (to  some  degree),  then  we  can  derive  how  much  A 
indirectly  trusts  C  (through  B).  Hence,  we  can  talk 
about  trust  paths  from  a  source  (A  in  this  case)  to  a 
destination  (C  in  this  case) .  These  paths  can  be  of  any 
length,  not  just  of  length  2,  as  in  this  case.  A  further 
observation  is  that  there  could  be  multiple  trust  paths 
from  A  to  C,  through  nodes  other  than  B,  and  all  these 
paths  will  be  relevant  for  the  trust  computation. 

Several  approaches  to  trust  computation  have 
been  proposed  in  the  literature  by  (Theodorakopoulos 
and  Baras,  2006),  (Jpsang,  1999),  (Levien  and  Aiken, 
1998),  and  others.  Unfortunately,  all  these  attempts 
have  been  made  in  a  relatively  ad-hoc  fashion.  With 
few  exceptions,  no  researchers  have  compared  their 
own  approach  to  the  others.  As  a  result,  someone 
-  say,  a  network  administrator  -  who  believes  that  a 
notion  of  trust  would  be  useful  to  incorporate  in  his  ad¬ 
ministrative  domain,  has  no  easy  way  to  choose  which 
trust  metric  would  be  more  suited  to  his  needs. 

It  is  this  omission  that  we  set  out  to  correct  in  this 
paper.  We  show  how  multiple  trust  computation  algo¬ 
rithms  can  be  seen  from  a  common  viewpoint.  Their 
properties  are  formalized  within  an  algebraic  frame¬ 
work.  The  benefit  of  this  approach  is  that  it  is  much 
easier  to  see  the  differences  and  similarities  that  ex¬ 
ist.  Moreover,  it  is  easier  to  design  an  algorithm  that 
satisfies  the  desired  set  of  properties  for  a  particular 
situation,  since  the  relevant  properties  are  clearly  sin¬ 
gled  out.  Finally,  it  is  easier  to  implement  and  evalu¬ 
ate  the  algorithms  under  a  common  software  solution 
which  makes  use  of  the  common  framework  that  all 
algorithms  are  instantiations  of. 
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The  rest  of  the  paper  includes  the  description  of 
our  system  model;  detailed  expositions  of  published 
algorithms  under  that  model;  requirements  that  the 
algorithms  are  intuitively  expected  to  satisfy;  and  al¬ 
gebraic  properties  that  the  algorithms  may  or  may  not 
have.  We  interpret  the  algebraic  properties  in  terms 
of  practical  implications.  Finally,  we  emphasize  pro¬ 
posals  on  evaluating  the  robustness  of  the  algorithms 
to  attacks  by  malicious  adversaries. 


call  concatenation  operator  and  denote  with  the  sym¬ 
bol  ®>,  is  used  to  combine  trust  values  along  a  path 
from  the  source  to  the  destination,  as  shown  in  Fig¬ 
ure  1.  More  formally,  consider  a  path  pi  from  the 
source  s  to  the  destination  d  comprising  of  the  edges 
ei  =  (s,ai),e2  =  (ai,  a2), . . . ,  ek  =  {ak-i,d).  The  rec¬ 
ommendation  trust  value  of  s  about  d  along  the  path 
Pi  is 

tPl  =  w(ei)  ®  w(e2)  8  . . .  ®  w(ek).  (1) 


2.  GENERAL  FRAMEWORK  AND 
DESCRIPTION  OF  ALGORITHMS 


Note  that  it  only  makes  sense  to  use  the  8  opera¬ 
tor  for  edge  weights  that  are  one  after  the  other,  i.e. 
form  a  directed  path  from  the  first  to  the  last. 


We  will  be  dealing  with  what  is  called  recommenda¬ 
tion  trust  in  the  literature,  as  opposed  to  direct  trust. 
In  other  words,  we  assume  that  direct  trust  has  al¬ 
ready  been  built  between  some  pairs  of  users  in  the 
network  through  real  life  interactions  or  otherwise,  as 
mentioned  earlier.  Then,  our  area  of  interest  is  the 
combination  of  these  direct  trust  values  into  indirect 
ones.  The  term  recommendation  comes  from  the  fact 
that  the  intermediate  trust  values  can  be  seen  as  rec¬ 
ommendations  of  users  for  other  users.  Also  note  that, 
in  general,  the  recommendation  trust  values  of  two 
users  A  and  A’  about  a  user  B  will  differ.  Different 
users  can  have  different  opinions  about  the  same  user. 

Our  model  of  this  situation  is  a  directed  graph 
G  =  (V,  E )  with  weights  on  the  edges,  the  weight  func¬ 
tion  being  w  :  e  — >  S,e  £  E.  The  set  S  contains  all 
possible  trust  values,  usually  from  some  minimum  to 
some  maximum  value.  The  nodes  of  the  graph  cor¬ 
respond  to  the  users,  and  the  edges  and  edge  weights 
correspond  to  the  direct  trust  relations  and  the  degree 
of  trust  associated  with  each  relation.  The  set  of  neigh¬ 
bors  of  a  user  i,  denoted  iV,;,  consists  of  all  nodes  j  £  V 
such  that  a  directed  edge  e  =  (i,  j)  exists.  We  distin¬ 
guish  a  source  node  s.  The  task  of  the  algorithm  that 
we  present  is  to  compute  the  source  node’s  opinions 
(recommendation  trust  values)  for  every  other  node 
(user).  That  is,  we  want  to  come  up  with  a  single 
value  in  S  for  each  user  in  the  network.  We  denote  s’ s 
recommendation  trust  value  for  user  d  by  t(s,d)  £  S , 
where  t  :  V  x  V  — >  S. 


Concatenation  Operator 


t(S,D)=w(S,A)®w(A,B)®w(B,D) 


g  j  w(S,AL(  A  \  w(A,BW  g  j  w(B.D)T  p 


Figure  1:  The  concatenation  operator  ®  is  used  to 
combine  opinions  along  a  path. 

The  second  operator,  which  we  will  call  sum¬ 
mary  operator  and  denote  with  the  symbol  ®,  is 
used  to  combine  opinions  computed  along  paths  that 
start  at  the  same  node  X,  and  end  at  the  same 
node  Y,  i.e.,  paths  that  are,  in  a  sense,  parallel  (see 
Figure  2).  More  formally,  consider  multiple  paths 
Pi,P2,  ■  ■  ■  ,pn  from  the  source  s  to  the  destination  d 
with  associated  computed  recommendation  trust  val¬ 
ues  tPl  ( s ,  d),  tP2  (s,  d), . . . ,  tPn  ( s ,  d).  The  total  recom¬ 
mendation  trust  is 

t(s,  d)  =  tPl  (s,  d)  ®  tp2(s ,  d)  ®  . . .  ®  tPn(s ,  d).  (2) 


Overall,  we  can  write 


Each  of  the  algorithms  that  we  present  differs  in 
the  values  and  interpretation  of  edge  weights  (the  set 
S),  and  the  way  the  function  t(s,  d)  is  computed  from 
the  graph  and  the  weights.  The  unifying  theme  is  the 
path  interpretation  that  can  be  given  to  these  com¬ 
putations.  More  specifically,  we  can  define  two  opera¬ 
tors  that  can  be  used  to  combine  the  available  direct 
trust  information.  The  first  operator,  which  we  will 


t(s,d)=  0  tp(s,d).  (3) 

path  p:s~^d 

We  now  proceed  to  describe  several  trust  compu¬ 
tation  algorithms  within  the  framework  that  we  have 
just  built.  For  each  algorithm,  we  will  give  the  defini¬ 
tion  and  interpretation  of  the  weights,  and  the  defini¬ 
tion  of  the  operators. 
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Summary  Operator 


2.1.2  Probability-Based 


t(S,D)=tp1(S,D)®tP2(S,D)©tP3(S,D) 


* 

-  ►  D 


Figure  2:  The  summary  operator  ©  is  used  to  combine 
opinions  across  paths. 


2.1  Information  Theoretic  (Sun  et  al.,  2006) 


2.1.1  Entropy-Based 

The  weight  is  derived  from  a  Bernoulli  probability 
mass  function,  which,  in  effect,  defines  the  probabil¬ 
ity  pab  that  user  B  is  trustworthy  according  to  user 
A.  The  weight  w(A,  B)  is  then  computed  as  a  func¬ 
tion  of  the  entropy  of  the  Bernoulli  distribution  in  the 
following  way: 

w(A,B)  =  {1-H{vab)'  ,0r#'S-W:;1'  (4) 

[H(pab)-  1,  for  0  <  pab  <  0.5. 

The  entropy  function  is  defined  as  H  ( p )  =  —  p  log2  p  — 
(1  —  p)  log2(l  —  p ),  and  since  0  <  p  <  1,  we  can  see 
that  —1  <  w(A,B)  <  1.  So,  in  this  case,  the  set  S  is 

S= 

The  concatenation  operator  is: 


The  weight  w(A,B)  in  this  case  is  a  pair  of  numbers 
(pab,  (Jab)-  The  number  pab  is  the  mean  of  a  Beta 
probability  distribution  function,  and  (jab  is  the  vari¬ 
ance  of  this  Beta  distribution.  It  is  interpreted  as  the 
confidence  that  user  A  has  about  the  trust  value  pab  , 
i.e. ,  how  certain  A  is  that  pab  is  an  accurate  estimate 
of  the  probability  that  B  is  trustworthy. 

As  an  aside,  a  Beta  pdf  is  often  used  in  the  lit¬ 
erature  to  model  how  direct  trust  values  appear  from 
direct  positive  and  negative  experiences  between  two 
users.  The  connection  is  that  if  user  A  has  a  positive 
and  b  negative  experiences  with  user  B ,  the  mean  of 
the  associated  Beta  pdf  will  be  and  the  variance 
will  be  (Q+fr)a°Q+;,+1)  ■  This  will  help  make  it  easier  to 
understand  why  the  summary  operator  does  what  it 
does.  However,  we  do  not  look  into  what  alternatives 
exist  to  the  generation  of  direct  trust  values.  Our  aim, 
as  we  have  noted,  is  to  compare  alternatives  to  the 
computation  of  recommendation  trust  values. 

The  concatenation  operator  is: 

w(A,  B)  0  w(B,  C )  =(pab,  <Jab)  ®  ( Pbc ,  <Jbc)  (7) 

=  (PABC,<JABc),  (8) 

where  the  two  components  are 

Pabc  =  pabPbc  +  (1  —  pab)(1  ~  Pbc)  (9) 

(JABC  =PAB(JBC  +  -pab) 

+Pab(  1  -  Pab)(%Pbc  —  l)2 


The  summary  operation  is  done  through  an  inter¬ 
mediate  transformation  : 


w(A,  B)  0  w(B,  C)  =  w(A,  B)w(B,  C),  (5) 


t^(s,d)®t^(8,d)  =  (pZ,aZ)  ®  (PM)  (11) 


i.e.,  regular  multiplication. 

The  summary  operator  is: 

tPl  (s,  d)  0  tP2  ( s ,  d)  =  p  1  1  p  tPl  (s,  d)+ 
w(e^  )  +  w(e\  ) 


ITT 


w(ePl)  +  w(e{2) 


Each  (p,  a)  pair  is  transformed  to  an  (a,  b)  pair. 
Then,  the  two  pairs  (ai,  b±)  and  (<22, 62)  are  composed, 
and  the  result  is  transformed  back  to  a  (p,  a)  pair. 

(P,  *)  -  («,  b)  =  (p(^i  -  1),  (1  -  P)(p-H^l  -  1)) 

(12) 

(ai,  b\)  ©  (02, 62)  =  («i  +  a2  —  1,  61  +  62  —  1)  (13) 


=  <14) 


i.e.,  a  weighted  sum,  where  the  weight  of  each  path  is 
proportional  to  the  trust  value  on  the  first  edge  of  the 
path. 
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2.2  EigenTrust  (Kamvar  et  al.,  2003) 

The  weights  in  this  case  are  real  numbers  between 
0  and  1:  S  =  [0,1].  The  weights  are  normal¬ 
ized  on  a  user-per-user  basis,  i.e. ,  for  each  user  i, 

Ej&nM^j)  =  L 

The  concatenation  operator  is: 
w(A,  B)  <g»  w(B,C)  =  w(A,  B)w{B,C),  (15) 

i.e.,  regular  multiplication. 

The  summary  operator  is: 

tPl  (s,  d)  ©  tp 2  (s,  d)  =  tPl  (s,  d)  +  tP2  (s,  d),  (16) 

i.e.,  regular  addition. 


i.e.,  multiplication  of  the  values  divided  by  4.  The  di¬ 
vision  by  4  is  presumably  done  to  normalize  the  values 
to  have  a  maximum  equal  to  1,  but  this  is  not  explicitly 
stated  in  (Abdul-Rahman  and  Hailes,  1997). 

The  summary  operator  is: 

tPl(s,d )  ©  tP2{s,d)  =  i tPl(s,d )  +  ^tP2(s,d),  (20) 

i.e.,  averaging.  This  operator  can  be  applied  to  multi¬ 
ple  opinions  at  once,  taking  the  average  of  all  of  them: 

tPl  (s,  d)  ©  tp2  (s,d)  ©  . .  .®tp  (s,  d)  = 

1  (21) 
~(tpl  (s,  d)  +  tp2  (s,d)  +  ...  +  ip"  {s,  d)). 
n 

2.5  Subjective  Logic  (Jpsang,  1999) 


2.3  Probabilistic  (Maurer,  1996) 


In  this  case  the  weights  are  treated  exactly  as  prob¬ 
abilities:  S  =  [0,1].  A  weight  w(A,B)  is  interpreted 
to  be  the  probability  that  the  directed  edge  (A,  B)  ex¬ 
ists.  Then,  the  recommendation  trust  value  of  user  s 
for  user  d  is  equal  to  the  probability  that  there  ex¬ 
ists  at  least  one  directed  path  from  s  to  d.  We  assume 
throughout  that  the  probabilities  on  different  edges  are 
independent. 

The  concatenation  operator  is: 
w(A,  B)  ©  w(B,C)  =  w(A,  B)w{B,C),  (17) 

i.e.,  regular  multiplication. 

The  summary  operator  is: 
tPl  (s,  d)  ©  tP2  (s,  d)  =  tPl  (s,  d)  +  tP2  (s,  d) 

-tPl(s,d)tP2(s,d),  [  ’ 

which  is  derived  from  the  simple  law  of  the  probability 
of  the  union  of  two  events:  P(AUB)  =  P(A)  +  P(B)  — 
P(A  n  B)  =  P(A)  +  P(B )  -  P{A)P{B). 


The  weights  are  ordered  triplets  of  positive  real  num¬ 
bers  that  sum  to  1 :  S  =  (b,d,u),b  +  d  +  u  =  l,b,d,u  € 
[0,1].  These  three  numbers  are  called,  respectively, 
belief,  disbelief,  and  uncertainty. 


The  concatenation  operator  is: 


w(A,B)  ©  w{B,  C)  =  (bi,di,ui)  ©  ( b2,d2,U2 ) 
=  (&1&2,  b\d2,  di  +  ui  +  &1U2). 


(22) 


The  summary  operator  is: 
tPl  (s,  d)  ©  tP2{s,  d)  =  (bPld,  dPld,  uPld )  ©  {bP2d,  dP2d,  u\ 


iPluP2 

Jsdasd 


+  bPsduTd  +  uTduPsd 


(23) 


where  k  =  upd  +  uP2d  —  uPhuP2 


lsdu'sd' 


2.6  Path-strength  (Lee  et  al.,  2003) 


The  weights  are  real  numbers  between  0  and  1:  S  = 

[0,1]- 


2.4  Multi-level  (Abdul-Rahman  and  Hailes, 
1997) 


2.6.1  Strongest  Path 


The  weights  are  discrete:  S  =  {  — 1, 0, 1, 2,  3, 4}.  The 
interpretation  ranges  from  complete  distrust  (-1),  to 
ignorance  (0),  to  increasing  levels  of  trust  (1,2, 3, 4). 


The  concatenation  operator  is  the  min  operator: 
w{A,  B)  ©  w(B,  C)  =  min(w;(A,  B),w(B,  C)).  (24) 


The  concatenation  operator  is: 


w(A,  B)  ©  w(B,  C) 


w(A,  B )  w(B,  C) 


The  summary  operator  is  the  max  operator: 
tPl  (s,  d)  ©  tP2(s,  d)  =  ma x(tPl  (s ,  d) ,  tP2  (s ,  d)) .  (25) 


4 


4 


(19) 
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2.6.2  Weighted  Sum  of  Strongest  Disjoint 
Paths 

The  concatenation  operator  is  the  min  operator: 
w(A,  B)  <g>  w(B,  C )  =  min(u;(A,  B),  w(B ,  C)).  (26) 

The  summary  operator  is  similar  to  the  one  in 
2.1.1,  a  weighted  sum  of  paths,  where  the  weights  are 
those  of  the  first  edges  on  each  path.  The  difference  is 
that  now  the  paths  are  required  to  be  disjoint. 

2.7  Graph  flows  (Levien  and  Aiken,  1998) 

This  and  the  next  algorithm  are  based  on  arguments 
related  to  flows  in  graphs. 

In  this  algorithm,  the  edge  weights  are  viewed  as 
capacities.  A  unit  flow  is  sent  out  from  the  source  s, 
and  the  trust  value  for  the  destination  d  is  equal  to  the 
fraction  of  the  flow  that  reaches  the  destination.  Edge 
weights  are  again  between  0  and  1:  S  =  [0, 1]. 

We  can  define  the  concatenation  and  summary  op¬ 
erators  as  follows: 

The  concatenation  operator  is  the  min  operator: 
w(A,  B)  ®  w(B,  C )  =  min(u>(A,  B),  w(B ,  C)).  (27) 

The  summary  operator  is  regular  addition: 
tPl  (s,  d)  ©  tp 2  (s,  d)  =  tPl  (s,  d)  +  tP2  (s,  d).  (28) 

2.8  Certificate  Insurance  (Reiter  and  Stub- 
blebine,  1999) 

In  this  algorithm,  the  weights  are  nonnegative  real 
numbers:  S  =  [0,oo).  Again,  the  algorithm  is  a  flow 
algorithm,  just  as  the  previous  one.  The  same  opera¬ 
tors  apply.  However,  the  interpretation  of  the  weights 
is  different.  Here,  weights  are  expressed  in  monetary 
terms,  in  particular  dollars.  An  edge  (i,  j)  corresponds 
to  a  public  key  certificate  that  user  i  has  issued  for  the 
public  key  of  user  j.  The  weight  w(i,j)  is  the  amount 
of  dollars  that  i  agrees  to  pay  to  someone  who  believes 
that  i’s  certificate  is  correct  and  later  it  turns  out  that 
it  was  not.  This  amount  of  dollars  can  be  thought  of 
as  a  kind  of  insurance. 


3.  REQUIREMENTS  FOR  TRUST 
METRICS 

So  far,  we  have  listed  several  pairs  of  concatenation 
and  summary  operators.  All  of  them  are  used  to  do 
the  same  calculation,  that  is,  compute  the  recommen¬ 
dation  trust  value  that  a  source  node  s  should  place 
on  a  destination  node  d.  Based  only  on  our  intuition 
about  this  objective  we  can  derive  some  conclusions 
about  the  desirable  behavior  of  the  operators.  In  this 
section  we  discuss  some  conditions  that  these  opera¬ 
tors  should  satisfy. 

First  of  all,  a  user  should  not  be  able  to  unilater¬ 
ally  increase  the  source’s  recommendation  trust  value 
for  the  destination  to  a  level  higher  than  the  source’s 
trust  value  for  the  user  himself.  In  other  words,  if  s’s 
trust  in  user  i  is  t(s,i )  €  S,  then  tPi(s,d)  A  t(s,I), 
where  A  is  a  partial  order  defined  on  S,  and  Pi  is  the 
set  of  paths  from  s  to  d  that  pass  through  i.  The 
rationale  is  to  avoid  maliciously  manipulated  reports 
of  trust  values  by  users.  A  user’s  trust  values  about 
others  cannot  be  trusted  more  than  the  user  himself. 
At  the  most,  a  user  can  give  the  maximum  trust  value 
to  everyone  else,  but  even  then,  we  do  not  want  the 
source  to  increase  its  own  trust  values  for  everybody 
beyond  some  level. 

On  a  related  note,  if  s  knows  about  d  only  through 
i.  i.e. ,  the  path  s  •w  i  d  is  the  only  path  from  s  to  d, 
then  s  cannot  trust  d  more  than  how  much  i  trusts  d. 
Simply,  there  is  no  reason  for  s  to  be  more  optimistic 
than  i’s  recommendation  is.  Continuing  from  the  last 
paragraph,  tPi(s,d)  A  t(i,d).  Translating  these  con¬ 
siderations  into  a  condition  for  the  concatenation  op¬ 
erator,  we  impose  that  trust  should  decrease  along  a 
path. 

a  <8>  b  A  a,b,  a,b  £  S.  (29) 

We  now  come  to  the  summary  operator,  which 
deals  with  aggregating  recommendation  trust  values 
derived  from  different  paths.  Throughout  the  litera¬ 
ture  there  is  a  prevailing  notion  that  more  independent 
paths  are  better  than  fewer  (Reiter  and  Stubblebine, 
1998).  More  paths  should  in  a  sense  be  better  than 
fewer  paths,  since  more  evidence  is  better  than  less 
evidence.  It  takes  more  malicious  users  to  collaborate 
and  subvert  the  trust  computation  algorithm,  since  at 
least  one  is  needed  on  every  path  from  the  source  to 
the  destination. 

But  it  is  not  the  trust  value  that  should  increase; 
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it  is  the  confidence  in  the  accuracy  of  the  computed 
value,  as  long  as,  and  to  the  extent  that  the  trust  val¬ 
ues  of  different  paths  agree.  In  other  words,  if  all  rec¬ 
ommendations  agree  that  the  destination  is  untrust¬ 
worthy,  then  it  stands  to  reason  that  the  result  of  the 
summary  operator  should  not  increase  the  trustwor¬ 
thiness  of  the  destination. 

However,  this  conclusion  is  not  always  correct. 
What  happens  if  some  recommendations  are  positive 
and  some  are  negative?  Then  two  results  are  possi¬ 
ble:  One  is  that  the  confidence  in  the  accuracy  of  the 
computed  value  should  decrease,  since  the  recommen¬ 
dations  are  in  conflict.  The  other  one  is  that  the  com¬ 
puted  value  should  be  the  average  of  the  recommenda¬ 
tions  (possibly  weighted  by  the  respective  confidence 
values),  while  the  confidence  in  its  accuracy  should  in¬ 
crease. 

Which  one  is  more  correct  depends  on  the  par¬ 
ticular  situation.  If  trust  is  ultimately  assumed  to  be 
binary,  i.e,  a  user  is  in  reality  either  fully  trustwor¬ 
thy  or  fully  untrustworthy,  then  the  summary  of  con¬ 
flicting  opinions  should  decrease  the  confidence.  This 
happens,  for  instance,  when  entities  in  the  network 
are  assumed  to  be  divided  in  either  friendly  or  enemy, 
with  no  gradation  in  between.  On  the  other  hand, 
trust  can  also  be  interpreted  to  be  something  that  can 
legitimately  be  grey,  as  opposed  to  just  black  or  white. 
It  can  be,  for  instance,  the  fraction  of  the  time  when 
a  user  has  been  seen  to  behave  in  a  cooperative  way, 
which  is  a  quantity  that  can  take  any  value  between 
0  and  1.  In  this  case  it  is  perfectly  admissible  to  say 
that  a  user  is  trusted  at  a  level  of,  say,  0.7.  Therefore, 
two  conflicting  opinions  could  be  reconciled  by  arguing 
that  the  two  recommenders  have  seen  different  aspects 
of  the  behavior  of  the  destination  user.  As  a  result,  it 
would  make  sense  to  compute  a  summary  value  as  the 
average  of  the  two  recommendations,  and  increase  the 
total  confidence  value  in  the  result. 

So  far,  we  have  mentioned  in  passing  a  distinction 
between  two  concepts:  trust  and  confidence.  We  de¬ 
fined  trust  to  be  an  estimate  of  the  behavior  of  a  user, 
and  confidence  to  be  the  accuracy  of  that  estimate. 
However,  not  all  the  algorithms  that  we  described  in¬ 
corporate  the  notion  of  confidence.  As  transpires  from 
the  discussion  in  this  section,  the  usefulness  of  con¬ 
fidence  is  more  apparent  when  there  exist  conflicting 
opinions.  So,  one  situation  that  simplifies  things  is 
when  conflicting  opinions  are  not  needed,  or  can  be 
explicitly  forbidden  to  exist.  This  saves  us  the  trouble 
of  having  to  deal  with  malicious  users  falsely  accusing 
benign  ones,  but  also  prevents  good  users  from  notify¬ 
ing  the  network  about  potential  misbehavior  that  they 


have  noticed.  If,  for  instance,  trust  values  are  used  for 
access  control  decisions,  then  disallowing  conflicting 
opinions  amounts  to  disallowing  revocation  of  privi¬ 
leges.  Whether  this  can  be  tolerated  or  not  depends 
on  the  particular  situation. 

4.  ALGEBRAIC  PROPERTIES  OF  THE 
OPERATORS 


After  going  over  the  intuitive  properties  that  we  would 
like  the  operators  to  have,  and  the  conditions  under 
which  we  would  like  them  to  have  those  properties, 
we  now  proceed  to  the  algebraic  properties  of  these 
operators.  The  motivation  for  talking  about  algebraic 
properties  is  that  they  can  be  linked  to  issues  with  the 
numerical  results  that  the  computation  returns.  As  a 
high  level  example  to  be  elaborated  on  later,  with  cer¬ 
tain  operators  it  could  happen  that  some  edge  weights 
are  taken  into  account  twice,  which  is  clearly  undesir¬ 
able.  Moreover,  related  to  the  algebraic  properties  are 
performance  issues,  as  well  as  whether  the  computa¬ 
tion  can  be  done  in  a  distributed  manner  or  not. 

First  and  foremost,  both  operators  should  be 
closed  with  respect  to  the  set  S,  that  is,  if  o,  b  G  S, 
then  a  ®  b  £  S,  and  a  ®  b  £  S.  The  reason  is  that 
our  admissible  results  are  in  the  set  S,  and  any  value 
outside  S  has  by  definition  no  meaning  in  our  compu¬ 
tations.  If  S  and  <g)  satisfy  this  property,  then  the  pair 
(S,  <S>)  is  called  a  magma  or  a  groupoid.  Similarly  for 
the  pair  (S,  ©).  Although  this  look  like  a  fundamental 
property,  some  times  it  can  be  tricky  to  get  right.  For 
example,  in  one  of  the  two  proposed  algorithms  in  (Sun 
et  al.,  2006),  presented  in  Section  2.1.1,  the  summary 
operator  is  not  closed  for  the  set  S  =  [—1,1]-  That 
summary  operator  is  weighted  averaging  and  it  would 
create  a  problem  in  a  situation  where  the  following 
holds  for  four  users  A,  B,  C,  and  D: 

w(A,  B)  =  0.95  w(B,  C)  =  1  (30) 

w(A,  D)  =  —0.9  w(D,  C)  =  1  (31) 

The  algorithm  would  then  compute 

t{A,  D)  =  tABC(A,  C )  ©  tADC(A,  C) 

=  w(A ,  B)w{B ,  C)  ©  w(A ,  D)w{D1  C) 

=  w{A^B)+w{A,D)W(A,  B)w(B,  C) 

32 

=  ora°-95'1  +  ara(-°-9-1) 

=  34.25  ^  S  =  [-1,1] 
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A  property  for  the  summary  operators,  which  is 
so  natural,  that  is  satisfied  by  all  summary  operators 
described  above,  is  the  commutativity  property: 

a  ©  b  =  b  ©  a,Va,  6  €  S  (33) 

Remembering  that  a  and  b  correspond  to  recom¬ 
mendation  values  derived  from  paths,  we  can  see  that 
it  would  not  make  sense  to  differentiate  between,  in  ef¬ 
fect,  the  names  of  the  two  paths  when  combining  them. 
Commutativity  makes  the  pair  (5,  ®)  a  commutative 
magma. 

We  do  not  need  commutativity  for  the  ©  oper¬ 
ator.  This  makes  sense,  since  reversing  the  order  of 
the  edges  of  a  path  need  not  necessarily  result  in  the 
same  outcome.  However,  we  note  that  some  of  the 
concatenation  operators  proposed  are  indeed  commu¬ 
tative  (e.g.  •,  min).  This  is  not  a  problem,  as  long  as 
the  computation  algorithm  does  not  explicitly  rely  on 
the  commutativity  of  this  operator. 

Another  property  of  interest  is  associativity,  and 
we  would  like  both  operators  to  be  associative: 

a®  (6®  c)  =(affi  b)  ©  c  (34) 

a  ©  (b  ©  c)  =(a  ©  b)  ©  c,  Va,  b,c  €  S  (35) 

The  reasoning  is  that  the  order  in  which  the  oper¬ 
ator  is  applied  should  not  matter.  The  justification  in 
the  case  of  the  summary  operator  is  that,  if  we  have 
computed  a  recommendation  trust  value  based  on  the 
currently  available  information,  and  then  another  path 
appears,  we  want  to  be  able  to  just  “add”  together  the 
information  from  the  new  path,  and  not  do  the  whole 
computation  from  scratch.  This  pertains  to  the  effi¬ 
ciency  of  the  computation,  especially  when  done  over 
a  network  where  information  will  arrive  with  different 
delays.  Unfortunately,  one  intuitive  summary  opera¬ 
tor  -  namely,  averaging  -  is  not  associative  in  general: 

3a,b,c  £  S  :  avg(a,  avg(6,  c))  =£  avg(avg(a,  b),  c)  (36) 

The  averaging  operator  is  intended  to  average  over 
all  available  paths  simultaneously,  and  not  to  include 
them  one  by  one.  However,  in  distributed  environ¬ 
ments,  this  leads  to  the  problems  just  stated.  One 
way  to  overcome  this  problem  would  be  to  count  the 
number  of  paths  already  taken  into  account  in  the  cur¬ 
rent  result,  so  as  to  weight  properly  the  current  result 
and  the  new  path  value. 

When  it  comes  to  the  concatenation  operator,  as¬ 
sociativity  means  that  the  final  result  should  depend 
only  on  the  order  with  which  the  edges  appear  in  the 


path,  but  not  on  the  order  with  which  we  choose  to  do 
the  calculations.  Associativity  is  not  satisfied  by  all 
the  concatenation  operators  we  have  presented.  For 
example,  the  operator  presented  in  Section  2.1.2  is 
not  associative.  However,  whether  this  is  a  significant 
problem  or  not  depends  on  the  actual  computation  al¬ 
gorithm  and  the  way  it  is  implemented  distributedly. 

As  far  as  algebraic  terminology  goes,  the  pair 
(S,  ©)  is  now  a  semigroup ,  whereas  the  pair  (S,  ©)  is 
a  commutative  semigroup. 

The  last  property  we  will  consider  is  the  distribu- 
tivity  (left  and  right)  of  ©  over  ©: 

a  ©  (6  ©  c)  =(a  ©  b)  ffi  (a  ©  c) 

(a  ffi  b)  ©  c  =(a  ®  c)  ffi  (6  0  c) 

Distributivity  is  the  most  useful  operation  in  terms 
of  increasing  the  efficiency  of  computations.  By  in¬ 
spection  of  (37),  we  see  that  the  left  sides  need  to  com¬ 
pute  two  operations  (one  ffi  in  the  parenthesis,  and  one 
©next).  However,  the  right  sides  need  three.  This  fact 
and  the  efficiency  gains  have  been  explored  and  dis¬ 
cussed  at  length  in  the  literature  (Aji  and  McEliece, 
2000).  However,  it  seems  to  be  the  most  difficult  to 
satisfy. 

We  will  just  limit  ourselves  to  discussing  the  flow- 
based  metrics  (presented  in  Sections  2.7  and  2.8)  from 
the  point  of  view  of  distributivity.  The  operators  used 
there  (©  =  min,  ffi  =  +)  do  not  satisfy  distributiv¬ 
ity.  For  this  reason,  only  if  applied  in  a  particular  way 
will  they  return  the  correct  (intended)  result,  which 
is  the  flow  from  the  source  to  the  destination.  If  all 
the  paths  from  the  source  to  the  destination  are  edge- 
independent  (share  no  common  edges),  then  no  partic¬ 
ular  way  is  needed.  But  if  they  are  not  independent, 
then  the  paths  need  to  be  decomposed  into  succes¬ 
sive  segments  comprising  parallel  (edge-independent) 
subpaths  and  common  edges  (a  series-parallel  decom¬ 
position).  Then  the  summary  operator  will  be  applied 
to  the  edge-independent  segments  and  then  the  con¬ 
catenation  operator  will  be  applied  to  the  successive 
segments.  This  could  be  repeated  as  needed.  However, 
this  cannot  be  done  with  all  graphs,  so  other  methods 
for  computing  flows  should  be  used. 

In  the  case  of  Subjective  Logic  (Sec.  2.5)  distrib¬ 
utivity  is  also  not  satisfied.  It  seems  that  where  the 
series-parallel  decomposition  cannot  be  done,  there  is 
no  way  to  do  the  computation,  so  some  graphs  can 
simply  not  be  handled  by  that  algorithm. 
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If  the  two  operators  satisfy  all  the  properties  that 


we  have  assigned  to  them  so  far,  then  the  triplet 
(S,  <S>,  ©)  is  an  algebraic  structure  called  a  semiring. 

5.  ATTACK  RESISTANCE 

Levien  and  Aiken,  in  (Levien  and  Aiken,  1998),  sug¬ 
gested  a  criterion  for  measuring  the  resistance  of  a 
trust  metric  to  attackers.  First,  they  distinguished 
between  two  types  of  attacks:  node  attacks,  and  edge 
attacks.  Node  attacks  amount  to  a  certain  node  being 
impersonated.  So,  the  attacker  can  issue  any  num¬ 
ber  of  arbitrary  opinions  (public  key  certificates  in 
Levien’s  case)  from  the  compromised  node  about  any 
other  node.  Edge  attacks  are  more  constrained:  Only 
one  false  opinion  can  be  created  per  each  attack.  In 
other  words,  an  attack  of  this  type  is  equivalent  to  in¬ 
serting  a  false  edge  in  the  trust  graph.  Obviously,  a 
node  attack  is  the  more  powerful  of  the  two,  since  it 
permits  the  insertion  of  an  arbitrary  number  of  false 
edges. 

The  attack  resistance  of  a  metric  can  be  gauged 
by  the  number  of  node  or  edge  attacks  that  are  needed 
before  the  metric  can  be  manipulated  beyond  some 
threshold.  For  instance,  it  has  been  shown  (Reiter  and 
Stubblebine,  1999)  that  a  single  misbehaving  entity  (a 
1-node  attack)  can  cause  the  metric  proposed  in  (Beth 
et  ah,  1994)  to  return  an  arbitrary  result. 

Here  an  important  clarification  has  to  be  made: 
there  are  trust  graphs  that  are  “weaker”  than  others. 
When,  for  example,  there  exists  only  a  single,  long 
path  between  the  source  and  the  destination,  then  any 
decent  metric  is  expected  to  give  a  low  trust  value.  So, 
the  attack  resistance  of  a  metric  is  normally  judged  by 
its  performance  in  these  “weak”  graphs. 

CONCLUSIONS 

We  have  presented  an  algebraic  framework  that  unifies 
many  trust  computation  algorithms.  By  focusing  on 
the  algebraic  properties  of  the  algorithms  under  this 
framework,  we  are  able  to  compare  them  in  a  much 
more  rigorous  way.  We  have  shown  links  between  the 
properties  and  considerations  that  can  arise  in  prac¬ 
tical  implementations.  As  a  result,  we  believe  that  a 
security  practitioner  can  benefit  from  our  exposition 
by  adapting  a  particular  metric  to  his  own  specifica¬ 
tions,  or  even  designing  a  new  one.  In  the  future,  we 
will  further  pursue  the  formal  evaluation  of  the  resis¬ 
tance  of  metrics  to  attacks. 
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